MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2
SHA3-384 hash: 697efd84a9da837cc9cf50d070d7704d56f2e9626d426754e938f730dcf39f8ca6982d27a3611f812567fe87a822d3cb
SHA1 hash: 6658313ad265296019316e40fb9472b6e9ca0b73
MD5 hash: 6d23b888aca37f70416c0c1ab0869196
humanhash: uncle-zebra-potato-mirror
File name:Swift MT103_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:458'948 bytes
First seen:2023-11-22 15:16:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:iRrcoeMLX4sUK3k5uvuamco1+eoFeZ0uvAttS7on:9gX8gk5Wmco1+egAo7
Threatray 193 similar samples on MalwareBazaar
TLSH T187A4DFCEE71198E5EC635275657EDE33462B9C6E6858288A25D77E373C31093303A88F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4c0ccc8ccf4d4fc (23 x NetWire, 14 x AveMariaRAT, 11 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459733/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11988.32366.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e543ca38-2efe-4d30-8447-a1bf954909af
Result
Threat name:
FormBook, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1346498
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1346498 Sample: Swift_MT103_pdf.exe Startdate: 22/11/2023 Architecture: WINDOWS Score: 100 32 www.winsup.xyz 2->32 34 www.unisocks.live 2->34 36 16 other IPs or domains 2->36 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Malicious sample detected (through community Yara rule) 2->50 54 6 other signatures 2->54 11 Swift_MT103_pdf.exe 17 2->11         started        signatures3 52 Performs DNS queries to domains with low reputation 32->52 process4 file5 30 C:\Users\user\AppData\Local\Temp\znlafs.exe, PE32 11->30 dropped 14 znlafs.exe 11->14         started        process6 signatures7 64 Multi AV Scanner detection for dropped file 14->64 66 Detected unpacking (changes PE section rights) 14->66 68 Machine Learning detection for dropped file 14->68 70 2 other signatures 14->70 17 znlafs.exe 14->17         started        process8 signatures9 44 Maps a DLL or memory area into another process 17->44 20 NlrxZVLnKiOBZZYCjyajGSArkQ.exe 17->20 injected process10 process11 22 cipher.exe 13 20->22         started        signatures12 56 Tries to steal Mail credentials (via file / registry access) 22->56 58 Tries to harvest and steal browser information (history, passwords, etc) 22->58 60 Writes to foreign memory regions 22->60 62 3 other signatures 22->62 25 NlrxZVLnKiOBZZYCjyajGSArkQ.exe 22->25 injected 28 firefox.exe 22->28         started        process13 dnsIp14 38 www.winsup.xyz 203.161.53.83, 49737, 49738, 49739 VNPT-AS-VNVNPTCorpVN Malaysia 25->38 40 www.purelyunorthodox.com 154.204.19.73, 49745, 49746, 49747 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 25->40 42 10 other IPs or domains 25->42
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2023-11-22 08:46:19 UTC
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q3glgua7iwgzxy6x4ytcpvjtzob5e6dmqms3dyb625f6yipo37ja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4169bc8ef83d44e5cd72de2f88c40602f7840d578e1ec0bbdd9b2a874bb75c4c
Formbook
900d518389fffe99ee1fd546a9af47aeb109b0d8500139fdb3155d6916afd810
Formbook
afa3fdb1128e9f1c66459130cd28486858ed1e04ef553f7e51f06fc70a9cda0f
Formbook
bca02faf8b705cffad72deb87ef895ce6626636d498e05b274b079c9ace3dc5b
Formbook
d860f7f4cd3767f61baa052dba19ab8df2c1f1e1b76a7a86eff40a676ba391ad
Formbook
eb579b2da7f6601c803c0231f0528e99c38ccfe3d84349717f744684c125967b
Formbook
ecc081d22527f522ace5ca77d6991d355985b268f718e3ec60826d94dd8081d8
Formbook
+ 183 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231122-sn1y9sdh7w/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
68473df2a30cea3da3c571245a817660f0e25d1297b8a7f921a9709e3dfc0b85
MD5 hash:
62a88fa2885657d4309c898f4cf9aa07
SHA1 hash:
34b3292bd3cfe627fa2dd9c1a72f9a6fe7ae5402
Link:
https://www.unpac.me/results/64f772ec-c3b3-46ac-b376-5724d00e913e/
SH256 hash:
86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2
MD5 hash:
6d23b888aca37f70416c0c1ab0869196
SHA1 hash:
6658313ad265296019316e40fb9472b6e9ca0b73
Link:
https://www.unpac.me/results/64f772ec-c3b3-46ac-b376-5724d00e913e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/86ccb3501f45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 86ccb3501f458d9be3d7e62627d533cb83d2786c8325b1e03ed74bec21eedfd2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/459733/

Comments